Ascension Health is alerting more than 100,000 individuals that their personal and health data was stolen in a breach connected to a third-party software vulnerability—another ripple effect of the Cl0p ransomware group’s attack on Cleo’s file transfer platform.
The nonprofit, which operates one of the largest healthcare systems in the U.S., discovered the incident on December 5, 2024. While Ascension wasn’t directly breached, the compromise occurred through a former business partner’s system, where the data had been inadvertently exposed.
If that sounds familiar, it’s because this aligns closely with the Cleo zero-day campaign, where Cl0p exploited two previously unknown flaws to exfiltrate sensitive data from dozens of companies, including Hertz Corporation and Western Alliance Bank.
In this case, the stolen data includes:
- Names, addresses, phone numbers, and emails
- Dates of birth and Social Security numbers
- Diagnosis and insurance information
- Details of inpatient visits
While Ascension hasn’t released an official total, breach notifications submitted to Massachusetts and Texas regulators confirm that at least 114,700 people were affected across Alabama, Michigan, Indiana, Tennessee, and Texas.
The organization is offering two years of free credit monitoring and identity theft protection to those affected. But for IT and security leaders, the key takeaway here is how indirect exposure through vendor relationships continues to be a high-risk blind spot.
It’s also worth noting that this is Ascension’s second data breach in less than a year. In May 2024, the organization disclosed that a BlackBasta ransomware attack had impacted 5.6 million individuals.
This latest incident reinforces a broader pattern we’re seeing more often—attackers don’t need to breach your network directly to access your data. Increasingly, they’re going after the vendors and former partners still sitting quietly in the supply chain.